Executive Summary

Summary
Title New mailman packages fix denial of service
Informations
Name DSA-955 First vendor Publication 2006-01-25
Vendor Debian Last vendor Modification 2006-01-25
Severity (Vendor) N/A Revision 1

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Cvss Base Score 7.8 Attack Range Network
Cvss Impact Score 6.9 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Two denial of service bugs were found in the mailman list server. In one, attachment filenames containing UTF8 strings were not properly parsed, which could cause the server to crash. In another, a message containing a bad date string could cause a server crash.

The old stable distribution (woody) is not vulnerable to this issue.

For the stable distribution (sarge) this problem has been fixed in version 2.1.5-8sarge1.

For the unstable distribution (sid) this problem has been fixed in version 2.1.5-10.

We recommend that you upgrade your mailman package immediately.

Original Source

Url : http://www.debian.org/security/2006/dsa-955

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:10038
 
Oval ID: oval:org.mitre.oval:def:10038
Title: Scrubber.py in Mailman 2.1.5-8 does not properly handle UTF8 character encodings in filenames of e-mail attachments, which allows remote attackers to cause a denial of service (application crash).
Description: Scrubber.py in Mailman 2.1.5-8 does not properly handle UTF8 character encodings in filenames of e-mail attachments, which allows remote attackers to cause a denial of service (application crash).
Family: unix Class: vulnerability
Reference(s): CVE-2005-3573
Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:10660
 
Oval ID: oval:org.mitre.oval:def:10660
Title: Mailman 2.1.4 through 2.1.6 allows remote attackers to cause a denial of service via a message that causes the server to "fail with an Overflow on bad date data in a processed message," a different vulnerability than CVE-2005-3573.
Description: Mailman 2.1.4 through 2.1.6 allows remote attackers to cause a denial of service via a message that causes the server to "fail with an Overflow on bad date data in a processed message," a different vulnerability than CVE-2005-3573.
Family: unix Class: vulnerability
Reference(s): CVE-2005-4153
Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Product(s):
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application25

OpenVAS Exploits

DateDescription
2008-01-17Name : Debian Security Advisory DSA 955-1 (clamav)
File : nvt/deb_955_1.nasl

Open Source Vulnerability Database (OSVDB)

idDescription
21723Mailman Message Processing Date Field Overflow
20819Mailman Scrubber.py utf8 Filename Processing DoS

Snort® IPS/IDS

DateDescription
2014-01-10utf8 filename transfer attempt
RuleID : 12597 - Revision : 6 - Type : SERVER-OTHER

Nessus® Vulnerability Scanner

DateDescription
2006-10-14Name : The remote Debian host is missing a security-related update.
File : debian_DSA-955.nasl - Type : ACT_GATHER_INFO
2006-07-03Name : The remote CentOS host is missing a security update.
File : centos_RHSA-2006-0204.nasl - Type : ACT_GATHER_INFO
2006-03-08Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2006-0204.nasl - Type : ACT_GATHER_INFO
2006-01-21Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-242-1.nasl - Type : ACT_GATHER_INFO
2006-01-15Name : The remote Mandrake Linux host is missing a security update.
File : mandrake_MDKSA-2005-222.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
DateInformations
2014-02-17 11:34:51
  • Multiple Updates